“Bot” has become a household word, thanks to the many fraud and disinformation campaigns using fake, automated social media accounts to post or “like” bogus information. But with social media companies like Facebook and Twitter trying to crack down on fake accounts, scammers are turning to real people—or rather, hijacked accounts of real people—to get the message out.

According to a new report by Arkose Labs, a fraud and abuse prevention firm, 53% of login attempts on social media accounts are automated break-in efforts by fraudsters. Programs like Sentry MBA quickly run through millions of username and password combinations, culled from the endless stream of data breaches that are part of modern life.

“If that [hacked] user’s been on the platform for a couple of years, [the social media company] is much less likely to take action against them than they are against a brand-new, freshly created account,” says Kevin Gosschalk, CEO of Arkose Labs.

Scammers still create fake accounts, though: Arkose reports that 25% of all new social media account applications are fraudulent.

Some account takeovers are for misinformation; others are for money, often with sex as an enticement, says Gosschalk. Posing as the owners of real, compromised accounts, chatbots start flirting with people on social media, even flashing nude videos. If the target wants to continue the encounter, the bot says, they need to sign up for a (bogus) dating site—at which point they’d have to enter credit card details for scammers to exploit.

Crooks also use social media to test whether leaked logins might work other places, such as banking sites. “They do a lot of account validation attacks just to see if this particular account exists,” says Vanita Pandey, Arkose’s VP of marketing. “If it does, they . . . go and use that [login] on other websites, as well.”

In the same study, for instance, Arkose found that 9% of login attempts on financial services sites are by fraudsters, often trying the usernames and passwords that people far too often reuse on multiple sites. “People have done just a horrible job of protecting themselves online,” says Gosschalk.